European Parliament – moving forward on NIS2.
David Harmon is the EU Huawei Cybersecurity and Privacy Director.
The ITRE committee in the European Parliament on October 28th 2021 approved the provisions of the NIS2 directive. This law will introduce new rules across the 27 member states of the EU to improve the security of networks and information systems. This is a very important piece of legislation.
The EU institutions are enacting a range of measures to improve the level of cybersecurity in Europe. Such initiatives are necessary to protect European industry and companies alike from cyber-attacks that can have a damaging effect on business operations. Moreover, technology is now a key cog in the wheel that will deliver new innovative solutions, processes and products across many vertical sectors.
Technology is no longer the domain of the telecom sector alone. That day has long since passed. Technological innovation is moving centre stage, for example, within the workings of the transport, financial services, energy, health, smart city, manufacturing and education sectors.
Key elements of NIS2
The central rationale of NIS2 is to guarantee that businesses working within the European supply chain are providing products and services that are safe and secure. Companies in Europe must carry out supply chain risk assessments so as to be assured that enterprises that they work with do not pose a risk to the European supply chain. Companies covered by NIS2 must take the appropriate measures related to supply chain security taking into account possible vulnerabilities specific to each supplier. The scope of the EU NIS2 directive is quite far-reaching.
The original NIS1 directive back in 2016 covered a number of sectors that included the banking, transport and energy areas. Elements of the digital infrastructure sector also fell under the remit of NIS1 including cloud services. The telecom sector now falls under the provisions of the NIS2 directive and this also includes enterprises that are providing data centres. The manufacturing, public administration, space, chemicals and wastewater sectors fall under the extended scope of NIS2 too.
How to make NIS2 a success?
A stronger governance architecture for cybersecurity in Europe will be a central feature of NIS2. ENISA (the European Network and Information Security Agency), the European Commission and the 27 EU member states will work more closely together in drawing up risk assessment and mitigation strategies covering the security of supply chains in Europe. The key requirement that businesses want concerning the roll-out and implementation of NIS2 is certainty. Companies want to take decisions knowing exactly what the rules of engagement are in the context of NIS2.
As the NIS2 proposal now stands, EU member states have a lot of discretion in deciding how to enact NIS2. Countries can invoke non-technical criteria in carrying out an assessment of a prospective security risk to the European supply chain. I believe that the place of origin of a supplier should not be a criterion that is permitted to be included as a risk to the European supply chain.
ENISA, the European Commission and the 27 member states of the EU should draw up harmonised technical rules that clearly lay down a zero trust approach to strengthening the security of supply chains in Europe. This will also play an important role in avoiding fragmentation in the effective operation of the internal market in Europe under future NIS2 arrangements. The building of a zero trust approach for an effective roll-out of NIS2 across Europe should be based on the principles of openness, transparency and non-discrimination.
Such a strategy will give small, medium and large-scale businesses in Europe the certainty that they need in complying with both the spirit and legal obligations of NIS2. The bottom line is that supply chain risk should be based on hard evidence and on approved and certified international standards.
Cybersecurity is of course a global challenge. It would be in the interest of the European Union to push for international cybersecurity standards in the area of supply chain risk. Securing such an agreement between the EU and other relevant international organisations will provide higher levels of cybersecurity and avoid unnecessary bureaucratic burdens.
Next stage in the NIS2 legislative process
NIS2 will be a priority for the French Presidency of the European Union that will commence in January 2022. There are still a lot of issues to be resolved under NIS2, including matters connected to reporting obligations in the case of a cyber incident, the size threshold for companies that fall under the scope of this legislation, and agreement on which sectoral categories are designated as important or essential for the purposes of NIS2.
The public and private sectors have a shared responsibility in delivering higher levels of cybersecurity for our society. Let us work together with a common purpose and in a spirit of determination so that the objectives of the NIS2 directive can be fully realised. The timeframe for the transposition of NIS2 into the national laws of the 27 member states of the EU is the year 2024.